While reverse-engineering this trojan I realized it's a new can of worms for mobile devices. There have long been malicious downloaders on PCs, but I believe this is the first to be discovered for mobile devices.

The website from which this software was downloading additional components is offline. Analyzing this trojan without all of the downloaded parts from its server is a bit like completing a puzzle without all of the pieces. You have to determine the "shape" of the missing pieces by visualizing the empty spaces and by filling in the gaps.

So I'm still spending some time reading through the code, and there are pieces that raise my interest. One of them, which you can see in the image below and which nobody else has mentioned as of yet, is SMS.

Thank you for your video about the DNS changer trojan horse being targeted to Mac computers. I was wondering if you could offer assistance. My computer has been infected by this trojan horse…

This is what happened:

RLV thought that his Mac was infected with a DNSChanger trojan and so he started doing some research. His search results located our video but the demo and his personal experience didn't sync because he wasn't prompted for his password as was demonstrated.

He then contacted us and we requested his samples. Well, his sample files were indeed a variant of Trojan:OSX/DNSChanger.

So we followed up again. With a few more details, we realized that he had installed Intego's VirusBarrier before the "infection" and not afterwards as we had originally thought. So the trial version of VirusBarrier had done its job and had prevented the installation of the DNSChanger.

Any AV activity being an uncommon event on a Mac, RLV interpreted the "infected files" notification on his hard drive as a successful system infection.

With another round of messages, we expressed confidence that his Mac was fine and provided him with information on DNS settings along with suggestions on how to test his system in order to confirm that it was clean. If his DNS settings were okay, then his personal information was okay as well. In any case, DNSChangers are more interested in making money by altering search results.

Excerpts from RLV's last message:

Thank you again for your message and for your really great help.

I called Apple and spoke with a couple of their reps. […] The reps were incredulous about the existence of malware specifically targeting Macs. They looked up articles about it while we were on the phone — they wouldn't believe me until they looked it up for themselves.

Doesn't hurt to be informed, or to double-check, even though it is a rare occurrence for Macs. Everyone I talked to was denying any malware vulnerability for Mac platforms, which struck me as not the best attitude to take.

I'm grateful for the help offered by you and f-secure and hopefully I won't be needing it again!

We hope so too. In his messages, RLV came across as a gentleman. There are several Mac users here in the lab and we were happy to assist him with something a bit outside of our normal routine.

When Krebs contacted the Supplier's ICQ address and attempted to play along, he was offered a certified check rather than an EMT. Certified checks can be faked — that sounds more like an advance fee fraud such as we wrote about on February 1st.

Either they didn't trust Krebs or it makes for a rather risk-free fraud for the bad guys. How many victims are going to complain to the bank if they're scammed while attempting to launder money?

Here's a screenshot of a site that we discovered back in December, BGI-Funds:

It's a PHP-based bulletin board that's used for money laundering recruitment.

We searched for the following text taken from the site:

I'll get right to the point. I have large amount of funds

At the top of the search results was a Symantec post (September '07) making the link between Storm spam and a copy of the phpBB site. So that pretty much confirmed what we wanted to know.

Returning to the search today — the site's still alive — though the name has changed several times. Submitting a Google search for Paid for Receiving Bank Transfers provides a large number of results.

Most of the sites are offline; you'll need to view the cache to see an example.

We located two sites that are currently active. They're hosted using fast flux:

Another example:

New forum members have been signing up at both locations in order to communicate with the site's Admin (who promises 10%). The membership list appears to have been merged prior to February of this year. Posts to the forum date back to the end of 2004. The recycled forum will apparently survive as long as the Storm botnet does.

One curious thing about the membership list… of those that provide their location, the majority are Canadians. What's up with that?

So I was in Sao Paulo this week trying to investigate why exactly Brazil is the largest source of new banking trojans in the world. After a day of meeting with local banks, I heard about an interesting event underway in Parque Ibirapuera.

A local fair center was hosting Campus Party Brazil — a massive LAN party. So of course I had to pay it a visit.

The event resembled the infamous Assembly party in many ways — with some notable differences. There were a few thousand tents in which the party people were sleeping. Nobody was writing demos. There was an ongoing series of lectures going on — I noticed one was about using Nepenthes. The party lasted a week. And the most astonishing part — check out the individuals that are endorsing this event: Campus Party endorsers.

Below are some random photos I snapped at the party.

Thanks to Marcelo (hackerteen.com.br) and Rodrigo for helping me to hook up with Campus Party!

In July of 2006 we did some searching for potentially unwanted applications: recycled or repackaged applications that were of dubious value. Affiliate marketing is used to promote sales, and unfortunately such systems often provide economic incentives to cheat.

Those earlier search results contain some links to known rogue antispyware sites, but in general it's mostly harmless optimization software. (The real value of which is unknown to us.) Interestingly, since 2006 there are now many French, Spanish, Italian, and German localizations in the results. Everything is localized except the Privacy Policy text we searched for.

Now to the present — being less interested in PUAs and more interested in known bad Rogues, we tried a few different searches last week.

Starting with a new Rogue (VirusHeat, circa Feb. 8th), we used this text from the affiliate page: "Being associated with one of the most known innovative software solutions developer whose mission is to protect the privacy and security of Windows computer users."

The Google search results produced a number of known bad guys. Many of the search links are blocked by StopBadware.org.

Click the image below for an example of the recycling (animated GIF). Attack of the Clones:

This Rogue list included applications that we've seen elsewhere. Where?

On a list of applications hosted by the Russian Business Network.

RBN is an infamous underground ISP that provides bulletproof hosting. The site www.antispyzone.com isn't among the results and the URL doesn't currently resolve (server not found). However, using the site's last known IP address from a list of RBN associated IP Addresses, we located the page.

It uses the very same text on its affiliate page. They're all bad Rogues…

There have been several security updates for a number of popular applications in the last week or so.

All of these applications — Apple QuickTime, Adobe Reader, Mozilla Firefox, Skype, and Sun Java JRE — have a large installed base. They're targets so make sure you have the most secure version available.

Their current spam run directs recipients to a site hosting their malicious download. If you open the site, you'll be prompted to download the file after five seconds.

It's a rerun of the Valentine's Day theme with new subject lines such as "Love Rose", "Rockin' Valentine", and "Just You". The Web site produces random images with each visit, and then let's not forget the filename: valentine.exe.

Less than a month ago, we saw the first run and now that Cupid is preparing his bow for Valentine's Day, they have resumed their campaign.

They'll keep on doing it as long as people keep falling for it.

As we blog, we detect this as Email-Worm:W32/Zhelatin.TQ.

So be sure to keep your virus definitions up to date, your computer patched, and don't be part of the Storm botnet this Valentine's Day. We'll keep an eye on their next move.

Seven men are being prosecuted in Sweden for running an illegal online pharmacy.

These men are accused of running several web shops selling prescription drugs without a prescription. They started operations in 2003 and generated several million Euros in revenue until they were shut down in 2007. By this time they had sold drugs to 65 different countries.

The gang was caught after a cashier at a post office thought it was suspicious that the same man came every day, day after day for several months to send bags of stuff to foreign countries. She alerted the police, they opened one of the envelopes and found drugs.

This case was covered widely in Swedish newspapers on Monday morning, but none of the newswire services were reporting the names or web addresses of their shops.

So, we called the Stockholm district attorney and got the names from her. The sites were:

247-drugstore.com

no1onlinepharmacy.com

personalonlinepharmacy.com

The sites are offline by now (or almost), but you can find what they looked like by searching archive.org.

We were of course interested in the case to find a spam angle. However, although these shops had an active affiliate program, we were not immediately able to find cases where spam had been used to advertise these sites. If you have a collection of spam you can search through, please check whether you find links to these guys and let us know. Thanks.

If you fall for the bait and sell something for $2000, you'll receive a check for $3000. The perpetrator of the scam will then claim that a mistake was made and ask that you refund $1000 via money transfer.

So you send $1000 via money transfer, which cannot be stopped… and in the end when it finally clears, the $3000 check ends up being a fake.

It's an old fraud that uses technology for a clever new bit of social engineering.

These messages are being sent to website contact addresses and include the site name in the body of the message. The result is a message that feels almost personalized and might lower the guard of the recipient.